Low Chance of Survival: Scripps Health Data Breach and Negligence Causes of Action
On April 29, 2021, Scripps Health (“Scripps”) suffered a ransomware attack that resulted in the unauthorized access of over 147,000 patients’ personal information. A few weeks later, Scripps announced the breach. As of this writing, Scripps is still trying to determine the full extent of the damage caused by the breach.
I previously wrote about the CCPA and California plaintiffs’ rights in the event of a data breach. This article will explore California plaintiffs’ rights against healthcare providers in the event of a data breach.
Scripps is a private non-profit organization and one of San Diego’s largest healthcare providers. Scripps also processes the personal information of over 50,000 California residents. Scripps seemingly fits the description of a qualified business under CCPA 1798.140. However, the CCPA actually does not apply to Scripps for a few reasons.
First, Scripps is a non-profit private business, and the CCPA specifically states that non-profit entities are exempt from the law. This also means that there can be no private right of action under the CCPA for the individuals affected by this breach.
Second, because Scripps is a healthcare provider, it is required to abide by the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Generally, all private businesses that conduct business in California and control data that includes personal information are subject to the data breach notification requirements of the Customer Records Act (Cal. Civ. Code § 1798.82). Further, under California law, personal information includes “medical information,” which is defined as “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.” (Cal. Civ. Code § 1798.81.5.) However, HIPAA and HITECH are federal regulations. Given that Scripps is a healthcare provider as defined by HIPAA and HITECH, California’s breach notification rules generally play second fiddle to the federal regulations. In fact, Section 1798.81.5(e)(5) states that compliance with these federal laws “shall be deemed compliance with this section” regarding disclosure.
HIPAA and HITECH have tighter standards for breach notification than most state laws. Unfortunately, there is also no private right of action for HIPAA or HITECH violations, including widespread data breaches like the Scripps incident. (See Acara v. Banks (5th Cir. 2006) 470 F.3d 569, 571: “Every district court that has considered this issue is in agreement that the statute does not support a private right of action.”) This does not necessarily preclude plaintiffs from filing lawsuits. In fact, plaintiffs may be able to file lawsuits for damages resulting from violations of state laws.
For instance, Section 56.101(a) of the California Civil Code requires healthcare providers such as Scripps to preserve the confidentiality of medical information. (Cal. Civ. Code § 56.101.) Any healthcare provider who negligently fails to preserve this confidentiality “shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.” (Id.) This seemingly opens the door to lawsuits arising from data breaches at healthcare providers. Indeed, there has been an increase in class action lawsuits involving data breaches at healthcare providers in California. However, the court in Sutter has made it more difficult to prove a breach of confidentiality under Section 56.101(a).
In Sutter, the court stated that a plaintiff must allege that negligently released medical information was actually viewed by an unauthorized person. (Sutter Health v. Superior Court (2014) 227 Cal.App.4th 1546, 1557 [174 Cal.Rptr.3d 653]: “No breach of confidentiality takes place until an unauthorized person views the medical information.”) In Sutter, Sutter Health had a computer stolen from one of its offices; the computer contained the medical records of over four million patients. (Id. at 1551.) The computer’s hard drive was password-protected, but the files themselves were unencrypted. (Id.) The court briefly compared these facts to Regents, where the data thief stole both the encrypted information and the encryption key, which the court characterized as “tantamount to leaving the files unencrypted.” (Id. at 1555, citing Regents of University of California v. Superior Court (2013) 220 Cal.App.4th 549, 554 [163 Cal.Rptr.3d 205].) The facts in Regents arguably present a clearer case of the release of unencrypted personal information. However, the court in Sutter seemingly set aside any arguments about encrypted versus unencrypted data. Instead, the court determined that, because there was no allegation that the released medical information had been viewed by an unauthorized party, there could be no breach of confidentiality. (Sutter at 1557.)
This was a critical blow to plaintiffs’ rights because, currently, neither HIPAA, HITECH, nor California law requires breach notifications to state whether an unauthorized party has viewed the released medical records. Moreover, given that data breaches are mostly digital, it would be next to impossible for plaintiffs to determine on their own whether an unauthorized party has viewed their personal information. Plaintiffs, then, are essentially forced to wait until they suffer actual injuries. By then, however, the damage done could be severe, long-lasting, or irreversible. As such, any plaintiffs currently engaged in class action lawsuits against Scripps may be in for a disappointment, especially on negligence causes of action under Section 56.101.
There may be other viable causes of action, but negligence is a big one. The healthcare industry spends billions of dollars on cybersecurity to reduce the likelihood of negligence, and yet there have been nearly 800 breaches since the beginning of 2020. (ocrportal.hhs.gov.) This shows that data breaches occur even when organizations are careful, which implies that negligence causes of action related to data breaches were likely already difficult to prove. Adding the requirement of “viewership” by an unauthorized party makes this obstacle that much harder to overcome. Still, one can only wait and see how courts will handle these new cases.